Executive summary


Audit Methodology 


The Information Commissioner is responsible for enforcing and promoting compliance with data protection 
legislation, as well as the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations (EIR). 
Section 47 of the FOIA makes provision for the Commissioner to assess whether a public authority is following
good practice, including compliance with the requirements of this Act and the provisions of the codes of practice 
under sections 45 and 46. The ICO sees auditing as a constructive process with real benefits for controllers and so 
aims to establish a participative approach. 


The purpose of the audit is to provide the Information Commissioner and Devon and Cornwall Police and Dorset 
Police (DCP & DP) with an independent assurance of the extent to which the information handling practices of DCP 
& DP, within the scope of this agreed audit, conform with the codes of practice under sections 45 and 46 of the 
FOIA. DCP & DP agreed to a consensual audit by the ICO of its compliance with the FOIA. 


It was agreed that the audit would focus on the following area: 


Scope area: Freedom of Information (FOI)

Description: The extent to which FOI/EIR accountability, policies and procedures, performance
measurement controls, and reporting mechanisms to monitor compliance are in
place and in operation throughout the organisation.

Audits are conducted following the Information Commissioner’s audit methodology. The key elements of this are a
desk-based review of selected policies and procedures, remote interviews with selected staff, and a virtual review 
of evidential documentation. 


Where weaknesses were identified recommendations have been made, primarily around enhancing existing 
processes to facilitate compliance with freedom of information legislation. In order to assist DCP & DP in 
implementing the recommendations each has been assigned a priority rating based upon the risks that they are 
intended to address. The ratings are assigned based upon the ICO’s assessment of the risks involved. DCP & DP’s 
priorities and risk appetite may vary and, therefore, they should undertake their own assessments of the risks 
identified. 


Audit Summary 


Freedom of Information (FOI): There is a limited level of assurance that processes and procedures are
in place and are delivering freedom of information compliance. The
audit has identified considerable scope for improvement in existing
arrangements to reduce the risk of non-compliance with freedom of
information legislation.


*The assurance ratings above are reflective of the remote audit methodology deployed and the rating may not necessarily represent a comprehensive assessment of 
compliance. 

Priority Recommendations


[Bar chart: All scope areas, breakdown of priority recommendations. Legend: Low, Medium, High, Urgent]

Freedom of Information


The bar chart above shows a breakdown of the priorities assigned to our recommendations made: 


• There were 2 urgent, 15 high and 4 medium priority recommendations.

Graphs and Charts


[Pie chart: Freedom of Information, Assurance Rating Summary. Legend: High, Reasonable, Limited, Very Limited]


The pie chart above shows a summary of the assurance ratings awarded: 19% high assurance, 12% reasonable
assurance, 46% limited assurance, 23% very limited assurance.

Areas for Improvement


• Review staffing levels for the Freedom of Information (FOI) team on a regular basis to ensure resource is
sufficient for the amount of FOI requests that are received. Reviews should be reported to relevant
governance boards.

• Ensure all processes for the handling of FOI requests are formally documented in any relevant policies and
procedures, including how personal information should be handled, the internal review procedure and how to
conduct the public interest test (PIT) and apply the PIT.

• Develop a quality assurance (QA) process which appropriately assesses the quality of FOI responses prior to
release. Carry out dip sampling on completed requests to ensure the correct processes for handling requests
are being followed.

• Ensure staff with responsibilities for handling FOI requests, both within the FOI team and in
departments, are provided with FOI training suitable to their role. All staff across DCP & DP should receive
training at induction on how to recognise and triage FOI requests, which should be refreshed at regular
intervals.

• Proactively publish information through the publication scheme online. Ensure responsibilities for publishing
information are clearly assigned across DCP & DP.

Disclaimer

The matters arising in this report are only those that came to our attention during the course of the audit and are 
not necessarily a comprehensive statement of all the areas requiring improvement. 


The responsibility for ensuring that there are adequate risk management, governance and internal control
arrangements in place rests with the management of Devon and Cornwall Police and Dorset Police.


We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to 
any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it 
arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot 
accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining 
from acting as a result of any information contained in this report. 


This report is an exception report and is solely for the use of Devon and Cornwall Police and Dorset Police. The
scope areas and controls covered by the audit have been tailored to Devon and Cornwall Police and Dorset Police
and, as a result, the audit report is not intended to be used in comparison with other ICO audit reports.